repository icon
thorsten / phpmyfaq Project repository

phpMyFAQ - Open Source FAQ web application for PHP 8.1+ and MySQL, PostgreSQL and other databases

Submit a report

FIRST INTERACTION

WITHIN1 DAY

REVIEW

WITHIN2 DAYS

FIX

WITHIN32 DAYS

Reflected XSS in action
nyeooo
duplicate
Critical
Stored XSS in Attachment File Name
mattzajork
Medium
CVE-2023-5867
Reflected XSS in /admin/index.php
ngductung
High
CVE-2023-5863
Insufficient Session Expiration
nyeooo
High
CVE-2023-5865
CSRF LOGOUT
nyeooo
informative
Medium
Store DOM XSS in FAQ
hainguyen0207
High
CVE-2023-5864
stored XSS Bypass
ahmedvienna
informative
Medium
SQL Error leads to internal Path Disclosure and possible SQL Injection
ahmedvienna
not applicable
Cookie without Secure flag
nyeooo
Medium
CVE-2023-5866
New password can be set as same as the old password
nyeooo
informative
Medium
Store XSS in Mail Setup
hainguyen0207
Critical
CVE-2023-5316
Store XSS in Users
hainguyen0207
High
CVE-2023-5319
XSS at File Upload in FAQ Attachment
hainguyen0207
informative
Medium
Store DOM XSS in FAQ
hainguyen0207
informative
Critical
Store XSS in FAQ Multisites
hainguyen0207
Medium
CVE-2023-5317
File Upload Vulnerability in Categories
hainguyen0207
Medium
CVE-2023-5227
Store DOM XSS in Edit configuration
hainguyen0207
Critical
CVE-2023-5320
stored XSS Bypass leads to Privilege Escalation Account Takeover (ATO) of any Ac...
ahmedvienna
spam
stored XSS Bypass in the TAGS Section and other places in the application
ahmedvienna
Medium
CVE-2023-6889
stored XSS Bypass in the FAQ Fields
ahmedvienna
Medium
CVE-2023-6890
unrestricted File Upload in the FAQ Metadata could lead to huge problems - for e...
ahmedvienna
informative
High
Bypassing the Username Field and letting it blank phpmyfaq
ahmedvienna
not applicable
Stored Xss in Question field due to lack of sanitization in Link.php
chonkysec
High
CVE-2023-4007
CSV Injection while export users
lujiefsi
High
CVE-2023-4006
Reflected Cross-Site Scripting when restoring a backup
nalysius
Medium
CVE-2023-3469
Stored xss in module FAQ News
chucsse
Medium
CVE-2023-2998
Stored XSS in the module named "Add new FAQ"
chucsse
duplicate
Medium
Stored XSS bypass in "FAQ"
mohamedabdelhady933
Medium
CVE-2023-2999
User Registration Misconfiguration
ahmedvienna
not applicable
Insufficient Filtering Leads to Stored Cross Site Scripting at FAQ
choocs
High
CVE-2023-2753
XSS Stored in when Adding a Question
cupc4k3
duplicate
Medium
Email Address Manipulation Vulnerability
cupc4k3
Medium
CVE-2023-2429
Stored Cross Site Scripting at FAQ Answer
choocs
High
CVE-2023-2752
Cross site scripting vulnerability in throsten /phpmyfaq
asura-n
Medium
CVE-2023-2427
Stored cross site scripting vulnerability in thorsten/phpmyfaq
asura-n
Medium
CVE-2023-2428
Stored xss in Comments -
panveanyy
informative
High
Multiple Stored XSS via mail parameter
eternyle
High
CVE-2023-2550
Business Logic Error username empty bypass
ahmedvienna
not applicable
XSS @ records
hatlesswizard
Medium
CVE-2023-1759
stored XSS Protection bypass by changing the User Profile Name
ahmedvienna
Medium
CVE-2023-1875
weak Password Policy while creating a new User with the Admin Account
ahmedvienna
Medium
CVE-2023-1753
XSS @ group
hatlesswizard
Medium
CVE-2023-1754
XSS @ Stop Words
hatlesswizard
Medium
CVE-2023-1884
Stored XSS @ updatecategory
hatlesswizard
Medium
CVE-2023-1879
The faqusername parameter in admin/index.php has stored xss
wanan0red
duplicate
High
Unrestricted User Registration via Captcha Bypass
7h3h4ckv157
duplicate
High
Reflected XSS in send2friend.php
tsarsecurity
High
CVE-2023-1880
Stored XSS in the adminlog functionality.
tsarsecurity
High
CVE-2023-1878
The improper restriction allows any account to add new FAQ.
isdkrisna
informative
High
User with only "edit" can delete post and somethimes can add post
isdkrisna
High
CVE-2023-1887
Captcha Bypass allows sending unlimited Comments
ahmedvienna
High
CVE-2023-1886
stored XSS in the Comments Field
ahmedvienna
duplicate
High
stored HTML-Injection in the Comments Part
ahmedvienna
Medium
CVE-2023-1761
Privilege escalation from user with "add user" to super admin
isdkrisna
High
CVE-2023-1762
stored XSS in the Category Field Name
josefjku
Medium
CVE-2023-1885
stored XSS after XSS Filter Bypass through exporting an HTML-Document
ahmedvienna
Medium
CVE-2023-1756
stored HTML Injection in PDF Export
ahmedvienna
not applicable
Remote code execution in langEditor.php
mariovata
self closed
Stored XSS on Real name
kevinkien
informative
High
Broken access control - Someone still can comment in unactive FAQ NEWS
isdkrisna
Medium
CVE-2023-1883
XSS in hyperlink when create FAQ News
isdkrisna
High
CVE-2023-1757
XSS in Comment Faq news username parameter
isdkrisna
High
CVE-2023-1758
Stored XSS on Configuration Version
isdkrisna
High
CVE-2023-1755
Stored XSS edit Config Link
isdkrisna
High
CVE-2023-1882
Stored xss real name
isdkrisna
High
CVE-2023-1760
No Sesssion Termination after Password Change
ahmedvienna
not applicable
stored Blind XSS in Admin Panel through FAQ-Proposal leads to Admin Full Account...
ahmedvienna
High
CVE-2023-0786
Stored XSS in the FAQ Change Name Parameter
ahmedvienna
informative
High
Name Field and all other required Fields Bypass while doing FAQ Proposals
ahmedvienna
High
CVE-2023-0880
FAQ Proposal E-Mail Field Bypass - no Email needed
ahmedvienna
duplicate
High
IDOR allows to archive any Account including the ADMIN Account and lockout the A...
ahmedvienna
spam
important E-Mail Input Field bypassed allowing Account Lockout and Takeover
ahmedvienna
High
CVE-2023-0790
stored HTML-Injection in the FAQ-Proposal
ahmedvienna
High
CVE-2023-0789
stored HTML-Injection throuth the Question Form
ahmedvienna
High
CVE-2023-0788
stored XSS through Question sending
josefjku
High
CVE-2023-0787
stored XSS in the Question Part
josefjku
self closed
stored HTML Injection
josefjku
duplicate
High
Stored XSS - allows stealing Admin and Users Cookies
josefjku
High
CVE-2023-0791
stored HTML-Injection
ahmedvienna
informative
Medium
Stored HTML Injection
ahmedvienna
High
CVE-2023-0794
No Password Policy at all during Registration and and Password Change allows Acc...
ahmedvienna
High
CVE-2023-0793
HTML-Injection
ahmedvienna
Medium
CVE-2023-0792
Code Injection to all user's browser - Via Super User
7h3h4ckv157
informative
High
Stored XSS in Add question can load admin account takeover
leminv
duplicate
Critical
Stored XSS in Add new question
leminv
Critical
CVE-2023-0306
Stored XSS in Add new category
leminv
duplicate
Critical
Weak password at demo website version 3.1.9
uonghoangminhchau
Medium
CVE-2023-0307
Stored XSS via username
christynorl
duplicate
Critical
Stored XSS in admin panel (users page)
mohamedabdelhady933
High
CVE-2023-0308
Stored XSS in FAQ comments
mohamedabdelhady933
Critical
CVE-2023-0310
Blind Stored XSS in admin panel (open question page)
mohamedabdelhady933
High
CVE-2023-0309
Blind Stored XSS in administration panel
mohamedabdelhady933
High
CVE-2023-0312
Bypass All Captchas in the application
mohamedabdelhady933
Medium
CVE-2023-0311
Reflect XSS Which can help in any CSRF Vulnerability
aggressiveuser
Medium
CVE-2023-0314
Stored XSS on User Management, Category, Add New FAQ, Add News and Configuration
baharuddinzulkifli
Medium
CVE-2023-0313
Reflect Cross Site Scripting
aggressiveuser
Critical
CVE-2022-4407
Missing CSRF protection
7h3h4ckv157
Medium
CVE-2022-4408
TLS Cookie without `secure` flag at https://roy.demo.phpmyfaq.de
sl4x0
Medium
CVE-2022-4409
Remote Code Execution via add_instance action
ugniusv
informative
Critical
Authenticated SQL injection via filename & update-instance parameters
ugniusv
High
Unauthenticated stored XSS via username & name parameters
ugniusv
High
SQL Injection inside instance name leads to Remote Code Execution
xanhacks
Critical
SQL Injection via lang parameter/RCE when PostgreSQL is used
ugniusv
Critical
XSS Stored inside website title
xanhacks
Low
XSS Stored inside Admin logs
xanhacks
High
XSS stored in Category name
xanhacks
Medium
SQL Injection inside category creation (checkIfCategoryExists)
xanhacks
High
Account privilege escalation from "restore backup" permission to admin account
xanhacks
duplicate
Medium
RCE - Execution of PHP code from user input (Code Injection)
xanhacks
not applicable
Stored Cross-site scripting
sk4rl1ght
High
CVE-2022-3765
Weak Password Requirement
sk4rl1ght
High
CVE-2022-3754
Reflect Cross Site Scripting when search
sk4rl1ght
High
CVE-2022-3766
Stored XSS and possible RCE/LFI in case of misconfiguration
mike993
High
CVE-2022-3608
Cross-Site Request Forgery (CSRF)
khanhchauminh
Low
Account Takeover
akshayravic09yc47
informative
Critical
Stored XSS via Editing config
jhond0e
High
$5
Cross-Site Request Forgery (CSRF)
ktg9
Medium
$7.5
Cross-Site Request Forgery (CSRF)
justinp09010
Low
$7.5
Cross-Site Request Forgery (CSRF)
ktg9
Medium
$7.5
Cross-site Scripting (XSS) - Stored
0x7zed
High
$35
Sensitive Cookie in HTTPS Session Without 'Secure' Attribute
0x7zed
Medium
$25
huntr: thorsten/phpmyfaq